Source: libvncserver
Version: 0.9.11+dfsg-1.2
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for libvncserver; stretch is not affected by those CVEs as no incomplete fix was ever applied there yet in a released version. When issuing the DSA we should make sure to include the complete fixes for CVE-2018-20019 and CVE-2018-15127. Details in [3].

CVE-2018-20748[0]:
Incomplete fix for CVE-2018-20019

CVE-2018-20749[1]:
Incomplete fix for CVE-2018-15127

CVE-2018-20750[2]:
Incomplete fix for CVE-2018-15127

If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20748
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20748
[1] https://security-tracker.debian.org/tracker/CVE-2018-20749
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20749
[2] https://security-tracker.debian.org/tracker/CVE-2018-20750
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20750
[3] https://github.com/LibVNC/libvncserver/issues/273#issuecomment-459040241

Regards,
Salvatore